Mobile app version of vmapp.org
Login or Join
Hamaas447

: Firefox 31 not loading SSL site Firefox 31 was released yesterday, and it seems like it has a problem with SSL: Secure Connection Failed An error occurred during a connection to api.joeyco.com.

@Hamaas447

Posted in: #Nginx #Openssl

Firefox 31 was released yesterday, and it seems like it has a problem with SSL:

Secure Connection Failed

An error occurred during a connection to api.joeyco.com. SSL peer selected a
cipher suite disallowed for the selected protocol version.
(Error code: ssl_error_cipher_disallowed_for_version)

The page you are trying to view cannot be shown because the authenticity of
the received data could not be verified.


What I tried to resolve the problem: Update to "OpenSSL 1.0.1h 5 Jun 2014", Reinstall nginx,
Reinstall PHP, Regenerate certificates.

I even went through this page. What am I missing here? How can I find out for certain if nginx is actually using the correct OpenSSL?

10.02% popularity Vote Up Vote Down


Login to follow query

More posts by @Hamaas447

2 Comments

Sorted by latest first Latest Oldest Best

 

@Deb1703797

It is not recommended to mess with that global security setting, but add trusted hosts instead if you really need to.

See this link for information about 'Renegotiation' (CVE-2009-3555):
wiki.mozilla.org/Security:Renegotiation https://wiki.mozilla.org/Security:Renegotiation#security.ssl.renego_unrestricted_hosts

You can look at the security.ssl.renego_unrestricted_hosts pref on the about:config page and add the sites that you want to allow to the string value.

Separate multiple host names by a comma.

10% popularity Vote Up Vote Down


 

@Michele947

Actually your website has a problem of using insecure SSL ciphers.

You should configure the ciphers in your web server like this:

ssl_prefer_server_ciphers On;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;


Credit for the configration goes to hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ .

You should also consider removing SSLv3 from ssl_protocols, since it is not that safe either. IE6 users running Windows XP won't be able to connect to your site if you have SSLv3 disabled.

10% popularity Vote Up Vote Down


Back to top | Use Dark Theme